Closed Bug 625658 Opened 14 years ago Closed 14 years ago

JM: 64-bit: Crash [@ js::mjit::EnterMethodJIT] with regexp match

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical
Tracking


RESOLVED DUPLICATE of bug 606882
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical][hardblocker])

Crash Data

    for (var i = 0; i < 3; ++i) { "".match(/(?:(?=|(?=a?))(?!))*/); }

causes a crash in mjit-generated code (64-bit only).

The first bad revision is:

changeset: f0458767cf4b
user: Chris Leary
date: Wed Nov 10 17:02:08 2010 -0800
summary: Encapsulate RegExpStatics more. (bug 610223, r=gal)
blocking2.0: --- → ?
The regex is obscure, but for now, blocking on investigation because it looks like it could be sg:critical.
blocking2.0: ? → betaN+
Whiteboard: hardblocker
Fixed by the patch for bug 606882. The cause overlaps, but shows up as a different signature. In this case, yarr doesn't allocate enough stack space for what it will use, so it smashes its stored value of $rbx, restores it as 0, and then crashes when it returns to jitcode.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: hardblocker → hardblocker, sg:critical
Whiteboard: hardblocker, sg:critical → [sg:critical][hardblocker]
Crash Signature: [@ js::mjit::EnterMethodJIT]
Group: core-security
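To make the mechanism described in the closing comment concrete (a JIT frame that reserves less scratch space than its body writes, so the spilled callee-saved rbx is overwritten with zero and the caller crashes on return), here is an added C model written for this page. It is not code from SpiderMonkey or Yarr; the flat stack array, the frame sizes, the register value and the function names are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat model of a downward-growing machine stack (constructed for this
   example; not Yarr's real frame layout). Index FRAME_BYTES is the caller's
   rsp on entry to the JIT-compiled matcher. */
#define FRAME_BYTES 256

typedef struct {
    uint8_t bytes[FRAME_BYTES];
    size_t  sp;   /* current "rsp" as an index into bytes */
} stack_t;

static void push64(stack_t *st, uint64_t v) {
    st->sp -= 8;
    memcpy(&st->bytes[st->sp], &v, 8);
}

static uint64_t pop64(stack_t *st) {
    uint64_t v;
    memcpy(&v, &st->bytes[st->sp], 8);
    st->sp += 8;
    return v;
}

/* Prologue of the matcher: spill rbx, then reserve `reserved` bytes of
   scratch below it (push rbx; sub rsp, reserved). */
static void prologue(stack_t *st, size_t reserved, uint64_t rbx) {
    push64(st, rbx);
    st->sp -= reserved;
}

/* Body: writes `used` bytes of backtracking state upward from rsp. Nothing in
   the emitted code checks `used` against `reserved`; the bytes just above the
   scratch area are the spilled rbx and then the return address. The clamp is
   only the model's own bound (a real stack has the caller's frame there). */
static void matcher_body(stack_t *st, size_t used) {
    if (st->sp + used > FRAME_BYTES)
        used = FRAME_BYTES - st->sp;
    memset(&st->bytes[st->sp], 0, used);
}

/* Epilogue: add rsp, reserved; pop rbx. Returns whatever is now in the slot,
   which is what the caller (the mjit code) gets back in rbx. */
static uint64_t epilogue(stack_t *st, size_t reserved) {
    st->sp += reserved;
    return pop64(st);
}

/* One call with the given reservation and actual scratch usage. */
uint64_t run_matcher(size_t reserved, size_t used, uint64_t rbx_in) {
    stack_t st;
    memset(st.bytes, 0xAA, sizeof st.bytes);
    st.sp = FRAME_BYTES;
    prologue(&st, reserved, rbx_in);
    matcher_body(&st, used);
    return epilogue(&st, reserved);
}

/* The invariant the bug violated: the frame must reserve at least as many
   bytes as the body can touch. A JIT should assert this when emitting code. */
int frame_is_sound(size_t reserved, size_t used) {
    return used <= reserved;
}

int main(void) {
    const uint64_t rbx = 0x7ffd8c0de000ULL; /* assumed live pointer the caller keeps in rbx */
    uint64_t ok  = run_matcher(64, 64, rbx);
    uint64_t bad = run_matcher(64, 72, rbx); /* 8 bytes short: zeroes the spilled rbx */
    printf("sound frame: rbx restored as 0x%llx\n", (unsigned long long)ok);
    printf("short frame: rbx restored as 0x%llx\n", (unsigned long long)bad);
    return 0;
}
```

With a 64-byte reservation and 64 bytes of use, rbx comes back intact; with 72 bytes of use the body runs eight bytes past the scratch area, the saved slot reads back as 0, and any dereference of rbx in the returning jitcode faults, which is the signature reported above. Writing a few bytes further would reach the return address instead, which is why under-reserved frames are treated as sg:critical rather than as a plain null-pointer crash.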